Last week saw Apple release MacOS Catalina version 10.15.5; a surprising move so close to the Virtual WWDC later this month and the expected announcement of MacOS 10.16. Nevertheless, Tim Cook and his team pushed out the update with a number of security fixes, and the addition of the battery health software.
The surprises keep on coming, with a ‘supplemental release’ today of 10.15.5 with ‘important security updates’.
Apple’s support pages offer more details on the changes, which have been made to the kernel:
- Available for: macOS High Sierra 10.13.6, macOS Catalina 10.15.5
- Impact: An application may be able to execute arbitrary code with kernel privileges
- Description: A memory consumption issue was addressed with improved memory handling.
- CVE-2020-9859: unc0ver
The nature of the changes and the inclusion of MacOS High Sierra suggests that either something has slipped through the quality control net, or a serious exploit has come to Apple’s attention in the last few days.
Speculation will no doubt fall on the ‘Sign In With Apple’ flaw, for which Apple paid a $100,000 bounty. Forbes’ Davey Winder:
“With the vulnerability already now patched by Apple on the server-side, Bhavuk Jain published his disclosure of the security shocker on May 30. Although the vulnerability related only to third-party apps which used Sign in with Apple without taking any further security measures, it’s shocking for two reasons.”
Those reasons are the breadth of the attack and what it could open up to a hacker, and Apple’s failure to catch the flaw during testing.